Project 9 - IPv6 attack detector (Xu)

Project Overview:
The ultimate goal of this proposal is to develop cross-platform software that can detect specific IPv6 attacks from THC-IPv6 and can even secure the IPv6 network against some types of attack.

Project Plan:

April 23 - May 20: Community Bonding Period

May 21 : GSoC 2012 coding officially starts

May 21 - June 17: Design and implement a low-interaction IPv6 Honeypot.

June 18 - June 24: Analyse the existing approaches to detect local IPv6 attacks, then design a new one.

June 25 - July 8: Implement the first alpha version of IPv6 attack detection tool.

July 9 - July 13: Mid Term Assessments

July 9 - July 29: Improve the program, especially the detection engine and the fingerprints, then release beta versions.

* Improved the UI.
+ Added support for a configuration file in Globalpot.
+ Added support for saving the genuine Router Advertisement message in ./conf/.
+ Improved the configuration file generator.
+ Updated some attack messages and log messages.
+ Gave a user a hint if no configuration files are found.

* Improved the performance.
+ Added BPF filters, so that they can replace scapy's lfilter when applicable.
+ Removed the prefix from the filenames in ./pcap/*, avoiding duplicate files.

* Removed some dead code.

* Updated README.md.

Planned for next week:
* Release the first version.

8th weekly report on 2012/8/13
Done last week:
* Implemented the Globalpot module.
+ Improved the RAguard's implementation, and integrated it into Globalpot.
+ Added support for detecting fake_advertise6, flood_advertise6, flood_solicitate6, rsmurf6, sendpeesmp6, flood_dhcpc6 in Globalpot.
+ Added support for detecting the three advanced host discovery methods used by Nmap or THC-IPv6-alive6 in Globalpot.

* Improved the Honeypot module.
+ Added support for detecting redir6, smurf6, sendpees6,
+ Added support for generating the honeypot configuration in batches.
+ Added some necessary timers.
+ Added support for reporting security-related events, including [DAD: address in use] and [Neighbor Advertisement].

* Implemented the event module.
+ Added support for detecting dos_new_ip6 and parasite6 by implementing the event module for handling and analyzing the security events submitted by Honeypots.

* Implemented the message module.
+ Added some necessary details in the message entity.
+ Added support for outputting the captured attack packets as a pcap file.
+ Avoided the flood messages of the same within a second.

* Improved the logger module.
+ Added support for logging the attack alert in a suitable format.

Planned for next week:
* Improving the detection.
* Improving the UI.
* Testing the whole system called '6guard'.
* Documentation.

7th weekly report on 2012/8/6
Done last week:
* Added support for multiple configuration files and multi-threaded honeypots.
* Defined an attack message format, and applied it to some types of attacks.
* Added support for some attack messages from honeypots.

Planned for next week:
* Implement the detection of other IPv6 attacks.
* Combine the honeypots and other detection methods.

6th weekly report on 2012/7/9
Done last week:
* Added some timers to improve the SLAAC implementation.
* Improved ipv6-ra-guard.py to detect different attack types from fake_router6, flood_router6 or kill_router6 of THC-IPv6.
* Improved the usability and robustness of the code.

Planned for next week:
* Implement the detection of NA/NS Spoofing.
* Implement the detection of other IPv6 attacks.
* Use honeypots to detect attacks.
* Combine the honeypots and other detection methods.
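The RA-guard logic these reports describe (compare each Router Advertisement with the genuine one saved in ./conf/, flag fake_router6-, flood_router6- and kill_router6-style traffic, and drop a repeated alert within a second) as an added Python example; this is not 6guard's own ipv6-ra-guard.py code. It parses raw ICMPv6 bytes instead of using scapy, and the addresses, prefixes and flood threshold are constructed assumptions.

```python
import struct
from collections import deque, namedtuple
ICMPV6_RA, OPT_PREFIX_INFO = 134, 3
# src: sender address; router_lifetime: seconds (0 = not a default router); prefixes: ((prefix bytes, length), ...)
RouterAdvert = namedtuple("RouterAdvert", "src router_lifetime prefixes")

def parse_ra(src, payload):
    """Parse an ICMPv6 Router Advertisement (RFC 4861 section 4.2) from raw ICMPv6 bytes."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        return None
    lifetime = struct.unpack("!H", payload[6:8])[0]  # follows type, code, cksum, hop limit, flags
    prefixes, off = [], 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(payload):
            break                                    # malformed option: stop parsing
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            prefixes.append((payload[off + 16:off + 32], payload[off + 2]))
        off += opt_len
    return RouterAdvert(src, lifetime, tuple(prefixes))

def build_ra(lifetime, prefix, plen=64):
    """Constructed test input: RA header plus one Prefix Information option."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + prefix

class RaGuard:
    """Compare each RA with the saved genuine one; suppress repeated alerts within 1 s."""
    def __init__(self, genuine, flood_threshold=20):
        self.genuine, self.flood_threshold = genuine, flood_threshold
        self.recent = deque()   # arrival times of RAs seen in the last second
        self.last_alert = {}    # alert text -> time it was last raised
    def _raise(self, text, now):
        if now - self.last_alert.get(text, -1.0) < 1.0:  # same alert within 1 s: drop it
            return None
        self.last_alert[text] = now
        return text
    def inspect(self, ra, now):
        self.recent.append(now)
        while now - self.recent[0] >= 1.0:
            self.recent.popleft()
        found = ["RA flood (flood_router6-like)"] if len(self.recent) > self.flood_threshold else []
        if ra.src != self.genuine.src:
            found.append(f"rogue RA from {ra.src} (fake_router6-like)")
        elif ra.router_lifetime == 0 and self.genuine.router_lifetime > 0:
            found.append("genuine router's lifetime zeroed (kill_router6-like)")
        elif set(ra.prefixes) != set(self.genuine.prefixes):
            found.append("genuine source advertising unknown prefix (spoofed RA)")
        return [a for a in (self._raise(t, now) for t in found) if a]
```

In a live deployment the genuine RouterAdvert would be loaded from the saved RA in ./conf/ and `now` would be the packet's capture timestamp.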